[LON-CAPA-cvs] cvs: loncom / loncapa_apache.conf loncron /lonnet/perl londns.pm lonnet.pm
raeburn
raeburn at source.lon-capa.org
Wed Jul 18 09:45:04 EDT 2018
raeburn Wed Jul 18 13:45:04 2018 EDT
Modified files:
/loncom loncron loncapa_apache.conf
/loncom/lonnet/perl londns.pm lonnet.pm
Log:
- Add nightly update of Certificate Revocation List (from CA) to loncron.
-------------- next part --------------
Index: loncom/loncron
diff -u loncom/loncron:1.105 loncom/loncron:1.106
--- loncom/loncron:1.105 Fri Oct 20 11:54:54 2017
+++ loncom/loncron Wed Jul 18 13:44:55 2018
@@ -2,7 +2,7 @@
# Housekeeping program, started by cron, loncontrol and loncron.pl
#
-# $Id: loncron,v 1.105 2017/10/20 11:54:54 raeburn Exp $
+# $Id: loncron,v 1.106 2018/07/18 13:44:55 raeburn Exp $
#
# Copyright Michigan State University Board of Trustees
#
@@ -942,6 +942,14 @@
}
}
+sub update_revocation_list {
+ if (&Apache::lonnet::fetch_crl_pemfile() eq 'ok') {
+ print "Certificate Revocation List (from CA) updated.\n";
+ } else {
+ print "Certificate Revocation List from (CA) not updated.\n";
+ }
+}
+
sub send_mail {
my $defdom = $perlvar{'lonDefDomain'};
my $origmail = $perlvar{'lonAdmEMail'};
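Review bot: The failure message in update_revocation_list's `else` branch has its parentheses misplaced — it prints `from (CA)` while the success message on the line above and the commit log both say `(from CA)`; change it to `print "Certificate Revocation List (from CA) not updated.\n";`. fetch_crl_pemfile returns nothing on every failure path, so this report line cannot distinguish an unreachable DNS host from a CRL that failed signature verification; since the reason is only in the lonnet log, saying so here would save an admin a search, e.g. `print "Certificate Revocation List (from CA) not updated (see lonnet log).\n";`. If this script runs under warnings, the `eq 'ok'` test on an undef return will also emit an uninitialized-value warning — I cannot see the file preamble from this hunk.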
@@ -1134,6 +1142,7 @@
&write_checksums();
&write_connection_config();
&write_hosttypes();
+ &update_revocation_list();
if ($totalcount>200 && !$noemail) { &send_mail(); }
}
}
Index: loncom/loncapa_apache.conf
diff -u loncom/loncapa_apache.conf:1.262 loncom/loncapa_apache.conf:1.263
--- loncom/loncapa_apache.conf:1.262 Fri Jan 12 13:34:08 2018
+++ loncom/loncapa_apache.conf Wed Jul 18 13:44:55 2018
@@ -2,7 +2,7 @@
## loncapa_apache.conf -- Apache HTTP LON-CAPA configuration file
##
-# $Id: loncapa_apache.conf,v 1.262 2018/01/12 13:34:08 raeburn Exp $
+# $Id: loncapa_apache.conf,v 1.263 2018/07/18 13:44:55 raeburn Exp $
#
# LON-CAPA Section (extensions to httpd.conf daemon configuration)
@@ -1805,6 +1805,7 @@
PerlSetVar lonnetCertificateAuthority loncapaCA.pem
PerlSetVar lonnetCertificate lonhostcert.pem
PerlSetVar lonnetHostnameCertificate lonhostnamecert.pem
+PerlSetVar lonnetCertRevocationList loncapaCAcrl.pem
#
# To generate the request for a certificate, and to negotiate the
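Review bot: The new `lonnetCertRevocationList` setting is added without any comment on what the file is or where it comes from, unlike the certificate-request instructions that follow it; an admin who finds `loncapaCAcrl.pem` (and a `.bak` copy) appearing in the certificate directory would benefit from one line such as `# CRL issued by the LON-CAPA CA; fetched nightly by loncron, served to other nodes at /adm/dns/loncapaCRL`. The value is joined to lonCertificateDirectory by lonnet.pm and londns.pm, so the comment should also say it must be a bare file name, like the three settings above it.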
Index: loncom/lonnet/perl/londns.pm
diff -u loncom/lonnet/perl/londns.pm:1.4 loncom/lonnet/perl/londns.pm:1.5
--- loncom/lonnet/perl/londns.pm:1.4 Thu Nov 30 14:33:35 2017
+++ loncom/lonnet/perl/londns.pm Wed Jul 18 13:45:03 2018
@@ -1,7 +1,7 @@
# The LearningOnline Network with CAPA
# A debugging harness.
#
-# $Id: londns.pm,v 1.4 2017/11/30 14:33:35 raeburn Exp $
+# $Id: londns.pm,v 1.5 2018/07/18 13:45:03 raeburn Exp $
#
# Copyright Michigan State University Board of Trustees
#
@@ -35,8 +35,11 @@
use Apache::lonnet;
sub serve_file {
- my ($r,$file,$type)=@_;
- if (open(my $config,"<","$Apache::lonnet::perlvar{'lonTabDir'}/$file")) {
+ my ($r,$dir,$file,$type)=@_;
+ if (($dir eq '') || ($file eq '')) {
+ return FORBIDDEN;
+ }
+ if (open(my $config,"<","$dir/$file")) {
my $contents = join('',<$config>);
$r->content_type($type);
$r->send_http_header;
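Review bot: serve_file gains a `$dir` argument and a FORBIDDEN guard for empty values, but no comment states the contract now that callers pick the directory; I would add above the sub `# serve_file($r,$dir,$file,$type): send $dir/$file with content-type $type; FORBIDDEN when either is empty. $dir and $file are configuration-derived — do not pass a request-supplied path component that could contain '/'.` As far as I can see the only URI-derived piece any caller passes is `$version` in the checksums branch, which comes from a split on '/' and so cannot carry a slash, but the comment makes that invariant explicit for future callers. The remainder of serve_file, including what is returned when the open fails, is outside this hunk.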
@@ -52,13 +55,18 @@
my ($r) = @_;
my $command = (split('/',$r->uri))[3];
+ my $dir = $Apache::lonnet::perlvar{'lonTabDir'};
if ($command eq 'hosts') {
- return &serve_file($r,'dns_hosts.tab','loncapa/hosts');
+ return &serve_file($r,$dir,'dns_hosts.tab','loncapa/hosts');
} elsif ($command eq 'domain') {
- return &serve_file($r,'dns_domain.tab','loncapa/domain');
+ return &serve_file($r,$dir,'dns_domain.tab','loncapa/domain');
} elsif ($command eq 'checksums') {
my $version = (split('/',$r->uri))[4];
- return &serve_file($r,"dns_checksums/$version.tab",'loncapa/versions');
+ return &serve_file($r,$dir,"dns_checksums/$version.tab",'loncapa/versions');
+ } elsif ($command eq 'loncapaCRL') {
+ $dir = $Apache::lonnet::perlvar{'lonCertificateDirectory'};
+ return &serve_file($r,$dir,$Apache::lonnet::perlvar{'lonnetCertRevocationList'},
+ 'application/x-pem-file');
}
return FORBIDDEN;
}
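Review bot: The `loncapaCRL` branch serves a file out of lonCertificateDirectory, which per the Apache config hunk in this commit also holds the host certificate and the CA file, so a comment should make explicit that only the configured CRL name is ever read from there and that the CRL is public data: `# CRL is public; only the configured file name is served from the certificate directory.` Until loncron has fetched a CRL the open in serve_file fails; what the client receives then is outside this hunk. Reassigning `$dir` inside one branch after it was set for the others works but reads oddly — a `my $crldir = $Apache::lonnet::perlvar{'lonCertificateDirectory'};` local to the branch would be clearer.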
Index: loncom/lonnet/perl/lonnet.pm
diff -u loncom/lonnet/perl/lonnet.pm:1.1378 loncom/lonnet/perl/lonnet.pm:1.1379
--- loncom/lonnet/perl/lonnet.pm:1.1378 Wed Jul 4 16:58:29 2018
+++ loncom/lonnet/perl/lonnet.pm Wed Jul 18 13:45:03 2018
@@ -1,7 +1,7 @@
# The LearningOnline Network
# TCP networking package
#
-# $Id: lonnet.pm,v 1.1378 2018/07/04 16:58:29 raeburn Exp $
+# $Id: lonnet.pm,v 1.1379 2018/07/18 13:45:03 raeburn Exp $
#
# Copyright Michigan State University Board of Trustees
#
@@ -13519,15 +13519,17 @@
}
my %alldns;
- open(my $config,"<","$perlvar{'lonTabDir'}/hosts.tab");
- foreach my $dns (<$config>) {
- next if ($dns !~ /^\^(\S*)/x);
- my $line = $1;
- my ($host,$protocol) = split(/:/,$line);
- if ($protocol ne 'https') {
- $protocol = 'http';
+ if (open(my $config,"<","$perlvar{'lonTabDir'}/hosts.tab")) {
+ foreach my $dns (<$config>) {
+ next if ($dns !~ /^\^(\S*)/x);
+ my $line = $1;
+ my ($host,$protocol) = split(/:/,$line);
+ if ($protocol ne 'https') {
+ $protocol = 'http';
+ }
+ $alldns{$host} = $protocol;
}
- $alldns{$host} = $protocol;
+ close($config);
}
while (%alldns) {
my ($dns) = sort { $b cmp $a } keys(%alldns);
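Review bot: When hosts.tab cannot be opened, the new `if (open(...))` guard leaves %alldns empty, the `while (%alldns)` loop never runs, and the function drops to the fallback further down that logs "unable to contact DNS" — a misleading diagnosis for a missing or unreadable tab file. An `else` on the open, `else { &logthis("unable to open $perlvar{'lonTabDir'}/hosts.tab: $!"); }`, would record the real cause. get_dns begins before this hunk.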
@@ -13535,19 +13537,33 @@
my $response = &LONCAPA::LWPReq::makerequest('',$request,'',\%perlvar,30,0);
delete($alldns{$dns});
next if ($response->is_error());
- my @content = split("\n",$response->content);
- unless ($nocache) {
- &do_cache_new('dns',$url,\@content,30*24*60*60);
- }
- &$func(\@content,$hashref);
- return;
+ if ($url eq '/adm/dns/loncapaCRL') {
+ return &$func($response);
+ } else {
+ my @content = split("\n",$response->content);
+ unless ($nocache) {
+ &do_cache_new('dns',$url,\@content,30*24*60*60);
+ }
+ &$func(\@content,$hashref);
+ return;
+ }
+ }
+ my $which = (split('/',$url,4))[3];
+ if ($which eq 'loncapaCRL') {
+ my $diskfile = "$perlvar{'lonCertificateDirectory'}/$perlvar{'lonnetCertRevocationList'}";
+ if (-e $diskfile) {
+ &logthis("unable to contact DNS, on disk file $diskfile not updated");
+ } else {
+ &logthis("unable to contact DNS, no on disk file $diskfile available");
+ }
+ } else {
+ &logthis("unable to contact DNS defaulting to on disk file dns_$which.tab\n");
+ if (open(my $config,"<","$perlvar{'lonTabDir'}/dns_$which.tab")) {
+ my @content = <$config>;
+ close($config);
+ &$func(\@content,$hashref);
+ }
}
- close($config);
- my $which = (split('/',$url))[3];
- &logthis("unable to contact DNS defaulting to on disk file dns_$which.tab\n");
- open($config,"<","$perlvar{'lonTabDir'}/dns_$which.tab");
- my @content = <$config>;
- &$func(\@content,$hashref);
return;
}
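Review bot: For `/adm/dns/loncapaCRL` the loop returns `&$func($response)` from the first DNS host that answers without an HTTP error, so if that host serves a CRL that save_crl_pem rejects (it returns undef on a failed signature check), the remaining hosts in %alldns are never tried — unlike the `is_error` case, which does fall through to the next host. Consider `my $saved = &$func($response); return $saved if ($saved eq 'ok');` followed by `next;` so one bad copy does not block the update. If every host is exhausted that way, the CRL message logged below ("unable to contact DNS ...") would then be inaccurate too, so it may want to mention that the fetched CRL was rejected. get_dns begins before this hunk.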
@@ -13607,6 +13623,47 @@
return \%checksums;
}
+sub fetch_crl_pemfile {
+ return &get_dns("/adm/dns/loncapaCRL",\&save_crl_pem,1,1);
+}
+
+sub save_crl_pem {
+ my ($response) = @_;
+ my $msg;
+ if (ref($response)) {
+ my $now = time;
+ my $lonca = $perlvar{'lonCertificateDirectory'}.'/'.$perlvar{'lonnetCertificateAuthority'};
+ my $tmpcrl = $tmpdir.'/'.$perlvar{'lonnetCertRevocationList'}.'_'.$now.'.'.$$.'.tmp';
+ if (open(my $fh,'>',"$tmpcrl")) {
+ print $fh $response->content;
+ close($fh);
+ if (-e $lonca) {
+ if (open(PIPE,"openssl crl -in $tmpcrl -inform pem -CAfile $lonca -noout 2>&1 |")) {
+ my $check = <PIPE>;
+ close(PIPE);
+ chomp($check);
+ if ($check eq 'verify OK') {
+ my $dest = "$perlvar{'lonCertificateDirectory'}/$perlvar{'lonnetCertRevocationList'}";
+ if (-e $dest) {
+ &File::Copy::move($dest,"$dest.bak");
+ }
+ if (&File::Copy::move($tmpcrl,$dest)) {
+ $msg = 'ok';
+ }
+ } else {
+ unlink($tmpcrl);
+ }
+ } else {
+ unlink($tmpcrl);
+ }
+ } else {
+ unlink($tmpcrl);
+ }
+ }
+ }
+ return $msg;
+}
+
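Review bot: save_crl_pem checks the CA signature on the downloaded CRL but never checks that it is newer than the copy already installed at `$dest`, so a stale but validly signed CRL — from a lagging DNS host, or replayed by anyone able to answer the HTTP fetch — overwrites a fresher one and silently un-revokes whatever was revoked in between; the `.bak` copy is kept but never consulted. Comparing the crlNumber extension of the new file with the installed one before the move closes this (sketch below; `openssl crl -crlnumber` prints it as hex), and a nextUpdate check is worth adding as well, since `-CAfile` verification reports `verify OK` for an expired CRL. Two smaller points: `move($dest,"$dest.bak")` runs before the move of the new file is known to succeed, so a failed second move leaves no CRL installed at all (copy to `.bak` instead, or move back on failure), and the verification pipe is a shell-form open with interpolated paths — they are config-derived, but `\Q$tmpcrl\E` and `\Q$lonca\E` cost nothing. I cannot tell from here whether $tmpdir is private to the daemon; if it is shared, the predictable time/pid temp name should be replaced with File::Temp.
```perl
# … unchanged: write $response->content to $tmpcrl, run the openssl -CAfile check …
if ($check eq 'verify OK') {
    my $dest = "$perlvar{'lonCertificateDirectory'}/$perlvar{'lonnetCertRevocationList'}";
    # Refuse a signed-but-stale CRL: installing an older one would
    # un-revoke certificates. crlNumber is monotonically increasing.
    if ((-e $dest) && !(&crl_is_newer($tmpcrl,$dest))) {
        &logthis("downloaded CRL is not newer than $dest; not installed");
        unlink($tmpcrl);
        return $msg;
    }
    # … unchanged: .bak rotation and move of $tmpcrl to $dest …
}

# Return the crlNumber extension of a PEM CRL as an upper-case hex string
# with leading zeros stripped, or undef if openssl fails or prints none.
sub crl_number {
    my ($file) = @_;
    my $num;
    if (open(my $pipe,'-|','openssl','crl','-in',$file,'-inform','pem','-noout','-crlnumber')) {
        while (my $line = <$pipe>) {
            if ($line =~ /^crlNumber=([0-9A-Fa-f]+)/) {
                ($num = uc($1)) =~ s/^0+(?=.)//;
                last;
            }
        }
        close($pipe);
    }
    return $num;
}

# True when $new carries a strictly larger crlNumber than $old.
# An installed CRL without a crlNumber is always replaced.
sub crl_is_newer {
    my ($new,$old) = @_;
    my $o = &crl_number($old);
    return 1 unless (defined($o));
    my $n = &crl_number($new);
    return 0 unless (defined($n));
    return (((length($n) <=> length($o)) || ($n cmp $o)) > 0);
}
```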
# ------------------------------------------------------------ Read domain file
{
my $loaded;